{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/usb/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["initial-access","exfiltration","windows","registry","usb"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies the first appearance of a removable storage device on a Windows host by monitoring registry modifications. The activity is not malicious in itself, but it can indicate data exfiltration over removable media or an initial-access attempt using malware delivered on a USB drive. The rule matches registry value-set events where the value name is \u0026ldquo;FriendlyName\u0026rdquo; and the key path lies under the USB mass-storage enumeration key (\u0026ldquo;USBSTOR\u0026rdquo;), which Windows writes the first time it enumerates such a device. Alerting only on device paths not previously seen on the host surfaces potentially unauthorized devices. Devices that present a different device class, such as keyboard-emulating \u0026ldquo;BadUSB\u0026rdquo; devices, are enumerated under other subkeys (for example USB or HID) and are outside the scope of this rule. 
The detection is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user, or an attacker with physical access, connects a removable storage device such as a USB drive to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe Plug and Play manager detects the new device and enumerates its properties, including vendor, product and serial number.\u003c/li\u003e\n\u003cli\u003eIf the device has not been connected to this system before, Windows creates a device instance key for it under \u003ccode\u003eHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\u003c/code\u003e and records its properties there, including the \u0026ldquo;FriendlyName\u0026rdquo; value.\u003c/li\u003e\n\u003cli\u003eThat write produces a registry value-set event, which is logged by Sysmon (Event ID 13), Elastic Defend, Microsoft Defender XDR, or SentinelOne; the detection fires on the first such event for a given device on a given host.\u003c/li\u003e\n\u003cli\u003eAn attacker may use the USB device to deploy malware or to stage sensitive data for removal.\u003c/li\u003e\n\u003cli\u003eThe attacker copies files to the USB device.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the USB device, completing the exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eMalware delivery or data exfiltration via USB can lead to the loss of sensitive information, intellectual property theft, or the introduction of malware into the network. Although a single alert is low severity, multiple alerts across the environment may indicate an active campaign. 
The detection focuses on registry modifications, which occur at connection time and before any files are copied, allowing for proactive monitoring and response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging (Event ID 13, RegistryEvent Value Set) with a configuration rule that includes target objects containing \u003ccode\u003eUSBSTOR\u003c/code\u003e; Sysmon does not collect registry events without an explicit rule. Then activate the Sigma rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to your SIEM, baselining the devices already known on each host so that only a device new to that host raises an alert.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, correlating them with the logged-on user, process activity and file access events around the time of the connection.\u003c/li\u003e\n\u003cli\u003eMaintain a list of approved USB devices, keyed on the device serial number from the USBSTOR instance path rather than on \u0026ldquo;FriendlyName\u0026rdquo; (a generic model string shared by every device of that model), and create exceptions for them in the monitoring system to reduce false positives as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eMonitor for subsequent file access or transfer events involving the new device as described in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:00:00Z","date_published":"2024-01-02T14:00:00Z","id":"/briefs/2024-01-first-time-usb/","summary":"Detection of newly seen removable devices via Windows registry modification events can indicate data exfiltration attempts or initial access via malicious USB drives.","title":"First Time Seen Removable Device Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-first-time-usb/"}],"language":"en","title":"CraftedSignal Threat Feed — Usb","version":"https://jsonfeed.org/version/1.1"}
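The first-seen logic, the serial-based allow list and the USBSTOR scope described in the brief above, as an added example that is not part of the CraftedSignal brief or of any vendor's rule: a Python detector run over constructed Sysmon Event ID 13 records in JSON-lines form, as a log shipper would emit them. The field names (`EventID`, `UtcTime`, `Computer`, `TargetObject`, `Details`) follow Sysmon's schema; the hosts, serials, the approved-device list and the records themselves are constructed for the example.

```python
"""Hypothetical first-seen USBSTOR detector over constructed Sysmon Event ID 13 records.

Added example, not CraftedSignal's rule or any vendor's code. Field names follow
Sysmon's schema; every host, device, serial and record below is constructed.
"""
import json
import re

# Sysmon Event ID 13 = RegistryEvent (Value Set); 12 is key create/delete.
SYSMON_REG_VALUE_SET = 13

# FriendlyName written under the USB mass-storage enumeration key. The instance
# path carries the vendor/product string and the hardware serial, which is the
# stable identifier; FriendlyName itself is a generic per-model string.
USBSTOR_FRIENDLYNAME = re.compile(
    r"\\Enum\\USBSTOR\\(?P<device_id>[^\\]+)\\(?P<serial>[^\\]+)\\FriendlyName$",
    re.IGNORECASE,
)

# Constructed allow list: corporate-issued devices keyed on serial (hypothetical).
APPROVED_SERIALS = frozenset({"0019E06B6B4E3B35&0"})

# Constructed sample records: a key-create event (EID 12), a non-FriendlyName
# value, an approved device, a HID (BadUSB-style) device outside USBSTOR, a
# reconnect of an already-seen device, and the same device on a second host.
SAMPLE_EVENTS = r"""
{"EventID": 12, "UtcTime": "2024-01-02 08:01:09.900", "Computer": "WS01", "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230127115412&0", "EventType": "CreateKey"}
{"EventID": 13, "UtcTime": "2024-01-02 08:01:10.000", "Computer": "WS01", "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230127115412&0\\FriendlyName", "Details": "SanDisk Cruzer Glide USB Device"}
{"EventID": 13, "UtcTime": "2024-01-02 08:01:10.050", "Computer": "WS01", "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230127115412&0\\Service", "Details": "disk"}
{"EventID": 13, "UtcTime": "2024-01-02 09:15:00.000", "Computer": "WS02", "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0019E06B6B4E3B35&0\\FriendlyName", "Details": "Kingston DataTraveler 3.0 USB Device"}
{"EventID": 13, "UtcTime": "2024-01-02 09:20:00.000", "Computer": "WS02", "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\HID\\VID_16D0&PID_0F22\\7&1a2b3c4d&0&0000\\FriendlyName", "Details": "USB Input Device"}
{"EventID": 13, "UtcTime": "2024-01-03 08:02:00.000", "Computer": "WS01", "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230127115412&0\\FriendlyName", "Details": "SanDisk Cruzer Glide USB Device"}
{"EventID": 13, "UtcTime": "2024-01-03 10:00:00.000", "Computer": "WS03", "TargetObject": "HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230127115412&0\\FriendlyName", "Details": "SanDisk Cruzer Glide USB Device"}
"""


def parse_events(jsonl: str) -> list:
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect_first_seen_usbstor(events, approved_serials=frozenset(), baseline=None):
    """Return one low-severity alert per (host, device) the first time its
    FriendlyName is written under USBSTOR on that host.

    `baseline` maps host -> set of instance IDs already known (for example from
    an inventory run). It is updated in place, so successive batches of events
    can be fed through without re-alerting on a device seen earlier.
    """
    seen = baseline if baseline is not None else {}
    alerts = []
    for ev in events:
        if ev.get("EventID") != SYSMON_REG_VALUE_SET:
            continue
        m = USBSTOR_FRIENDLYNAME.search(ev.get("TargetObject", ""))
        if not m:
            continue  # other values, or other Enum subtrees such as USB or HID
        host = ev["Computer"]
        serial = m.group("serial")
        instance = f"{m.group('device_id')}\\{serial}".lower()
        known = seen.setdefault(host, set())
        if instance in known:
            continue  # reconnect of a device already seen on this host
        known.add(instance)
        if serial in approved_serials:
            continue  # approved device: recorded in the baseline, no alert
        alerts.append({
            "host": host,
            "time": ev["UtcTime"],
            "friendly_name": ev.get("Details", ""),
            "device_id": m.group("device_id"),
            "serial": serial,
            "severity": "low",
        })
    return alerts


def alerts_for_sample():
    """Run the detector over the constructed records with the constructed allow list."""
    return detect_first_seen_usbstor(parse_events(SAMPLE_EVENTS), APPROVED_SERIALS)


if __name__ == "__main__":
    for alert in alerts_for_sample():
        print(json.dumps(alert))
```

The same serial alerts on WS01 and again on WS03 because the baseline is per host: a device that is routine on one workstation is still new on another. The Kingston device is swallowed by the allow list only because the allow list is keyed on the serial from the instance path; keying on FriendlyName would also have suppressed every other DataTraveler of that model.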